What Is GDPR?

GDPR stands for General Data Protection Regulation, the EU legislative instrument that has, since May 25, 2018, replaced the 1995 European Data Protection Directive (Directive 95/46/EC). Because it is a Regulation, and no longer a Directive, it applies automatically across all 27 Member States of the EU, subject to a limited number of “national derogations”. It aims to simplify the European legislative framework on data privacy, which under the Directive was a patchwork of European law and of 28 (at the time) sets of national laws and regulations.

The GDPR does not, however, reach the level of uniformity it set out to achieve: a number of areas remain matters for Member States to regulate at the national level, the so-called “national derogations”. As a result, since May 25, 2018, companies processing the personal data of individuals in the EU must comply with the GDPR, but also with the privacy laws and regulations of each applicable EU country in those areas that remain at the discretion of Member States.

Our GDPR Compliance Program is designed to do just that: ensure that you comply not only with the GDPR but also with the evolving landscape of applicable national privacy laws and regulations of the EU Member States.

For more information, please download our GDPR brochure. You can also view our Glossary of GDPR-related terms, and read our article on the importance of hiring EU counsel to assist with your GDPR compliance.

Why You Will Want to Comply

BEFORE: Some countries imposed fines for violations of privacy laws, but these were relatively low.

SINCE MAY 25, 2018: The GDPR imposes administrative fines in two tiers, each capped at the greater of two amounts:

  • up to €10 million or 2% of the company’s total worldwide annual turnover of the preceding financial year, whichever is higher; or
  • up to €20 million or 4% of the company’s total worldwide annual turnover of the preceding financial year, whichever is higher.

Which tier applies depends on the nature of the infringement.

Compliance Plan: How to Comply in Two Steps

At the end of this review, we will have conducted a pre-audit assessment of your company’s processing practices, the types of processing performed, the purposes of the processing, and how much of the processing is done internally versus outsourced to third-party processors. We will then be able to give you an estimate of the budget necessary to pursue our compliance plan.

This assessment will give us an overview of:

What:

  • Your current privacy practices are
  • Your current level of privacy compliance is
  • Your company’s internal and external data flows are
  • Level of data security you have implemented

Who:

  • Your company’s decision makers in terms of privacy are
  • Is responsible for managing the company’s information governance program
  • Your third-party processors are, and the extent of their involvement in your overall processing activity

How:

  • Information governance is managed
  • You secure the data
  • You keep track of your internal and external data processing

Where:

  • The data you process is going, both internally and externally

This step is highly interactive. We need to gain a thorough understanding of your company and its privacy practices, including who processes what, for what purposes, where, and for how long.

Going Further

If you need further assistance, we can provide add-on modules to help you comply with EU laws on an ongoing basis, including:

  • Training sessions on various parts of the Regulation: these can be tailored to your company, industry sector, business activity, and processing practices, and delivered monthly, bimonthly, or on another regular schedule agreed with your team.
  • Data Protection Officer (DPO) services: we can act as your external DPO. This service helps you comply with EU privacy laws from both the U.S. and the EU.

We provide these services on a subscription basis. Please note that these optional services are only available to companies that have completed steps 1 and 2, whether with us or independently.

Our Key Differentiators

  • Our dual admission as lawyers in both Europe (the EU and the UK) and North America (the U.S. and Canada), combined with professional experience gained on both continents, positions us well to advise U.S.- and Canada-based companies on their operations in the EU and the UK, including on how to comply with local laws within the EU
  • Our expertise in both EU/UK and U.S./Canadian privacy laws and regulations allows us to help U.S. and Canadian clients comply with their obligations in both the EU/UK and the U.S./Canada
  • Our physical presence in both Europe and the U.S. allows us to be located close to our clients and their local operations, and to advise them both in the U.S./Canada and within the EU/UK